Solved - lede - openwrt torguard vpn setup

LEDE - OPENWRT TORGUARD VPN SETUP

Regards
Mike

OK - I decided to put this up on the TorGuard Forum as I could not find a tutorial anywhere with specific step by step instructions for getting Torguard OPENVPN working with OpenWrt/ Lede. In advance, I want to thank the excellent support team at TorGuard ( especially Mike & Andy ) for assisting me with getting my Lede/Openwrt VPN router up and running.
I use davidc502 firmware which is described as Moderately Customized LEDE Development Builds found here - https://davidc502sis.dynamic-dns.net/releases/ and here - https://davidc502sis.dynamic-dns.net/snapshots/ -- davidc502's forum found here - Davidc502- wrt1200ac wrt1900acx wrt3200acm wrt32x builds - Dave's builds are for Linksys WRT1900AC v1 Linksys WRT1900AC v2 Linksys WRT1900ACS Linksys WRT3200ACM Linksys WRT1200AC models ONLY !!! One of the many benefits of using Dave's custom firmware is that it comes with many pre-installed and configured software packages - including OpenVpn and Dnscrypt - I use both in conjunction on my router. For full list of packages see Dave's configuration seed found here - https://davidc502sis.dynamic-dns.net/releases/config.seed - However, the guide tutorial here will work on any and every OpenWrt/ Lede firmware based router. I also tested this with Lede stable firmware ( current version 17.01.4 ) found here - https://lede-project.org/downloads -

Anyway - here we go - this is Mike's detailed original answer to my inquiry concerning my request for assistance in setting up OpenVpn on OpenWrt /Lede. I have added a few edits in order to make this more comprehensible and easier to implement. This guide will work Guaranteed if you follow instructions step by step.

Mike // Staff

Thank you, can you check if the steps below works ok for you

1. Then in Luci Gui go to System > Software, do update first ( ssh command opkg update )
   then search for openvpn and install openvpn-openssl and luci-app-openvpn. ( uci ssh command - opkg install openvpn-openssl luci-app-openvpn )

These are necessary - Luci is GUI frontend for Openwrt - it comes pre-installed with davidc502's firmware. Also installed on Lede stable.

2. Here you Generate OpenVpn config on https://torguard.net/tgconf.php?action=vpn-openvpnconfig choosing openwrt.

3. Login using ftp client like winscp to the router (openwrt) and the config file downloaded from the tool to be uploaded to box and renamed as /etc/config/openvpn

To make this simpler - you can copy and paste the newly generated text file to a text file on your desktop and /or download config file to your desktop. Install

nano ( preferred text editor ) - opkg install nano - if you need to install nano - ( if not already there / comes pre-installed in davidc502's builds )

to your router. SSH into router then type ( copy and paste ) -" nano /etc/config/openvpn " ( without parenthesis ) - erase all contents of file ( hold Ctrl + k ) and replace ( copy and paste ) with contents of config file you copied and downloaded earlier.

Sample of my /etc/config/openvpn config file - adjust yours as you see fit but stick with config from https://torguard.net/tgconf.php?action=vpn-openvpnconfig as your basic guide -

config openvpn 'TorGuard_AES256GCM_SHA256'
option client '1'
option dev 'tun'
option proto 'udp'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option ca '/etc/openvpn/torguard/ca.crt'
option remote_cert_tls 'server'
option tls_auth '/etc/openvpn/torguard/ta.key 1'
option cipher 'AES-256-GCM'
option comp_lzo ‘adaptive’ # AS of March 2018 and OpenVpn 2.4.5 use option compress ‘lzo’
option verb '4'
option fast_io '1'
option auth_user_pass '/etc/openvpn/torguard/userpass.txt'
option remote_random '0'
option auth 'SHA256'
option reneg_sec '0'
option port '1195'
list remote 'ny.east.usa.torguardvpnaccess.com'
option sndbuf '393216'
option rcvbuf '393216'
option enabled '1'
option keepalive '10 120'
option auth_nocache '1'
option tls_client '1'
option setenv 'CLIENT_CERT 0'
option tls_version_min '1.2'
option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
option ncp_ciphers 'AES-256-GCM:AES-128-GCM'
option tun_mtu '1500'
option tun_mtu_extra '32'
option ncp_disable '1'
option engine 'dynamic'
option mute_replay_warnings '1'
option disable_occ '1'
option keysize '256'
option mssfix '1450'
option script_security '2'
option reneg_bytes '1073741824'
option mute '20'
option pull '1'
option log '/tmp/openvpn.log'

Then hit Ctrl + o - you will be asked to write file - hit enter to save file - then Ctrl + x to close file and go back into shell

4. create folder /etc/openvpn/torguard and add under it the ca.crt, ta.key from https://torguard.net/downloads/ta.key and https://torguard.net/downloads/ca.crt and create new file userpass.txt where in it put on first line your vpn username and second you vpn password.

Create /etc/openvpn/torguard folder ( in ssh session into router - type - " mkdir /etc/openvpn/torguard " ( without parenthesis ) - in order to proceed -

opkg install wget ( if you need to install wget )

ssh into router use wget ( install wget if not already there / comes pre-installed in davidc502's builds ) to issue following commands in order to install necessary

files to /etc/openvpn/torguard folder which you just created : type the following commands in shell

A - " wget -P /etc/openvpn/torguard https://torguard.net/downloads/ta.key " ( without parenthesis ) - copy and paste - ( ta.key is downloaded to

/etc/openvpn/torguard folder )

B - " wget -P /etc/openvpn/torguard https://torguard.net/downloads/ca.crt " ( without parenthesis ) - copy and paste - ( ca.crt is downloaded to

/etc/openvpn/torguard folder )

C - type ( copy and paste ) " nano /etc/openvpn/torguard/userpass.txt " ( without parenthesis ) - in new text file type ( copy and paste ) in first line your

TorGuard Vpn username and on second line your TorGuard Vpn password - Then hit ( Ctrl + o ) - you will be asked to write file - hit enter to save file - then (

Ctrl + x ) to close file and go back into shell - userpass.txt is now added under /etc/openvpn/torguard/ folder as well

Now - these commands are required from my past experience - still in SSH type ( copy and paste )

chmod 0777 /etc/openvpn/torguard/ta.key chmod 0777 /etc/openvpn/torguard/ca.crt chmod 0400 /etc/openvpn/torguard/userpass.txt

There are two alternative methods available in order to create the necessary openvpn network interface and complimentary firewall rules. The first one I will

feature is through the command line shell - using uci commands.

The second is simply done through the Luci Web GUI. Personally, I use the uci command line approach as I feel the firewall rules for the vpn connection are more

secure in nature using this method. For the sake of this tutorial, consider command line - uci - Scenario A - and Luci Web Gui method - Scenario B. Both will create

an interface and working firewall rules and in the end - and leave you with a working TorGuard OpenVpn configuration and subsequent connection. GUARANTEED !

Remember this is either A or B - not A AND B !!! - you can not use both. It is one or the other.

Scenario A -

TorGuard OpenVpn Network Interface Creation and Setup via command line - uci

uci set network.myvpnc=interface
uci set network.myvpnc.proto=none
uci set network.myvpnc.ifname=tun0
uci commit network

TorGuard OpenVpn Firewall Rules Setup via command line - uci

uci add firewall zone
uci set firewall.@zone[-1]=zone
uci set firewall.@zone[-1].name=myvpnc_fw
uci set firewall.@zone[-1].network=myvpnc
uci set firewall.@zone[-1].input=REJECT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].forward=REJECT
uci set firewall.@zone[-1].masq=1
uci set firewall.@zone[-1].mtu_fix=1
uci add firewall forwarding
uci set firewall.@forwarding[-1]=forwarding
uci set firewall.@forwarding[-1].src=lan
uci set firewall.@forwarding[-1].dest=myvpnc_fw
uci commit firewall
reboot

Scenario B -

TorGuard OpenVpn - Luci ( Web Gui ) Network Interface Creation and Setup and Firewall Rules Setup

1 ) Back on Luci ( Lede/OpenWrt Gui ). Go to Network > Interfaces and add new interface name the interface " MYVPN " - make sure the " Protocol of the new interface " at top of page is set to " Unmanaged " and at bottom of page select " Custom " and enter " tun0 " ( tun number zero ) in the field next to custom radio button.

Click On Submit then Save and Save and Apply Settings

2 ) Go to Network > Firewall section, click add " new zone " and make it to " "accept " ( all three up top - accept all options ) input/output/forward/masquarde, ( check " masquerade " box under where you accepting all .
Then choose - enter check mark in box next to interface VPN ( Covered networks ).
Then in bottom box " Inter-Zone Forwarding " ( Allow forward to destination zones: ) = LAN and then

( Allow forward from source zones: ) = LAN

This means click both radio buttons next to lan in last section on firewall " newzone " you just created.

Lastly, Click On Save and Save and Apply Settings -

3 ) Go to Services > Openvpn and start the VPN service.

All should be up and running after this. Support said they would post this in tutorials for Openwrt/Lede firmware. As I said, I just put this up to save folks time

if they run TorGuard VPN. By the way, it is an excellent VPN service. Easier setup than PIA VPN - specifically on Lede/Openwrt. Again - thanks to TorGuard Support.

Let us know if you have any further questions.

Regards
Mike

LEDE - OPENWRT TORGUARD VPN SETUP

@directnupe - would you consider adding this to the wiki? There's a "Howto" section where it would fit perfectly - for example, at: https://lede-project.org/docs/howto/openvpn.torguard

This would make it more easily "findable" for people who're checking the doc's. Thanks.

Dear Rich,
*Happy Holidays - I most certainly do so. And I have tweaked and perfected
the recipe. *

God Bless and Peace to The world -

DIT

Dear Rich,
I put it on the Wiki as you asked but I had problems with the formatting making it difficult if not impossible to read.
Hopefully you can help. You can edit the post if you like or simply repost it. Let me know what happens. In the meanwhile, I will put the guide up here in its' revised edition.
Happy New Year -

directnupe

@directnupe Thanks for posting. I got a start at formatting the text, but ran out of time (I'm off for my own new year's festivities I think you can see the pattern for fixing the rest of the page at: https://lede-project.org/docs/howto/openvpn.torguard

Thanks again!

No problem - it was my pleasure and I am glad for your help with this and your suggestion. Enjoy your time out and be safe out there. God Bless - it is good of you to follow up and your efforts to help others. After all we are a community.
Peace-

directnupe

PS - Yes ! I got a look at it and you did an outstanding job of editing and formatting the post. Nothing beats good teamwork.

@richb-hanover I'll sound like the Grinch a bit, but it's for a good cause.

Please make sure the page is accessible somehow from within the wiki (it was not). Don't add wiki pages without a link in a wiki main page to reach them, even if half-finished. It's easy to forget that and none will be able to see/contribute to the page (outside of people coming from here or madmen like me that chose to get notified of all activity on the wiki so I can do "maintainer" role to some extent).

Also, can you show me where is the "howto" section coming from? I'd like to keep all tutorials in the "user-guide" section but I keep seeing people make pages in that section that has no landing page, and also make no links to reach the pages in it.

I'll now be doing some more formatting, checking commands if they work from default lede firmware, cleanups and such. That page will also be moved that page into user-guides section, and made accessible through a link in the VPN section of "Additional Services" here: https://lede-project.org/docs/user-guide/start#additional_services

Happy new year and merry things from a grumpy Grinch.

God Bless You - and I do not think that you are the Grinch. Quite the contrary - I am always willing to learn. I hope the page is open to all - I see it here- LEDE Documentation then LEDE User Guide
and then Torguard VPN Setup.
The wiki entries were above my pal grade. Happy New Year and Peace -

directnupe

@bobafetthotmail Nice job updating the Torguard page. I also agree that moving it from the (now deleted) 'howto' directory into the 'user-guide' section makes sense. Thanks!

Dear Rich - Happy New Year - even better - the guide that we put together is listed thusly -

1- LEDE Documentation

2- LEDE User Guide

3 - Scroll Down The Page

Look Under Additional Services

4 - VPN services:

5 - Torguard VPN Setup

So you did a beautiful job with the document. I got this guide from TorGuard Support added my own tweaks from things I picked up over the years. I am a retired English Teacher so I did my best to make it simple. Unfortunately, I mixed my instructions with their " raw and unvarnished " instructions.
Anyway, all's well well that ends well.

God Bless us all in Peace,

directnupe

@directnupe - thanks for the compliments, but @bobafetthotmail did all the heavy lifting.

Peace

Rich

Dear @richb-hanover-priv and @bobafetthotmail
How are you doing? You may remember that I put together the TorGuard OpenVpn tutorial in the Lede Forum which you had posted to the OpenWrt / Lede Docs. You actually told me at the time and I quote " @bobafetthotmail did all the heavy lifting." with regards to formatting and getting it in the guides.
Well as of late march 2018 - OpenVpn 2.4.5 is out and there has been a major change in the config file which is need in order to connect to the TorGuard servers.
It is referenced here below:

The link - https://forum.openwrt.org/viewtopic.php?id=64949&p=209 about half the way down the page on this Davidc502 LEDE thread - it states

The syntax in the new openvpn version changed a bit. Change the above line from

option comp_lzo 'yes' and / or option comp_lzo 'adaptive'
to
option compress 'lzo'
and TorGuard OpenVpn will work again.

As I do not know how to edit the OpenWrt / Lede Wiki Guides and Documents - I hope that you can edit the guide so that folks will be able to successfully connect to the remote TorGuard servers.

Here is the direct link to the original Torguard VPN Setup which we worked to make available :
https://openwrt.org/docs/guide-user/services/vpn/openvpn.torguard

So, I have done my due diligence and I hope you and Bob can update the information. Happy Easter and / PassOver and

God Bless You and Loved Ones Always In Peace and God's Grace,

Directnupe

PS - Upcoming Changes To OpenVpn Options

https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Thanks for the suggestion and Have a Good Easter and / or PassOver

Peace,
Directnupe

I praise your dedication on keeping the information up-to-date, we really need people that cares about keeping the wiki updated and correct as things change.

But I would really appreciate if you could do minor edits to keep pages up-to-date on your own. Fixing formatting on a whole page was too complex and I'm OK with doing it myself, but I think minor edits are within your reach.

We have a public wiki so we can have people contribute independently without asking maintainers on every little thing. Maintainers should only be called on more complex tasks than doing minor edits to a page.

I don't want to sound rude or arrogant nor turn down your request to keep the page updated, I'm just trying to explain what is our idea of wiki and community, why I don't like doing these minor edits on your behalf, and why I encourage you to do these yourself.